Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-10802: Security - PMASA-2020-3

In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.

CVE
#sql#vulnerability#web#php#perl

Announcement-ID: PMASA-2020-3

Date: 2020-03-20

Updated: 2020-03-22

Summary

SQL injection relating to searching

Description

An SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions within phpMyAdmin.

An attacker can generate specially-crafted database or table names. The attack can be performed if a user attempts certain search operations on the malicious database or table.

Severity

Because of the specific steps required to exploit this, we consider this vulnerability to be of moderate severity.

Affected Versions

phpMyAdmin 4.9.x releases prior to 4.9.5 and the 5.0.x releases prior to 5.0.2 are affected.

Solution

Upgrade to phpMyAdmin 4.9.5 or 5.0.2 or newer or apply patch listed below.

References

Thanks to hoangn144_VCS and Yutaka WATANABE for reporting these vulnerabilities.

Assigned CVE ids: CVE-2020-10802

CWE ids: CWE-661

Patches

The following commits have been made to fix this issue:

  • a8acd7a42cf743186528b0453f90aaa32bfefabe

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907